CVE-2024-25063: 
Hikvision HikCentral Professional vulnerability analysis and mitigation

A vulnerability in HikCentral Professional (CVE-2024-25063) was discovered and disclosed on March 1, 2024. The vulnerability affects versions below V2.5.1 (including V2.5.1) of HikCentral Professional, a centralized security management platform used by customers worldwide to safeguard assets and properties. The vulnerability stems from insufficient server-side validation, which could potentially allow unauthorized access to specific URLs (Hikvision Advisory, Security Online).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The technical root cause has been identified as insufficient server-side validation, which could allow an attacker to gain unauthorized access to certain URLs (NVD, Hikvision Advisory).

The vulnerability could allow an attacker to gain unauthorized access to specific URLs that they should not have access to. Given that HikCentral Professional is used by customers in over 200 countries and connects more than 5 million devices into a single, unified interface, the potential impact of this vulnerability is significant (Security Online).

Users are advised to update their HikCentral Professional installations to versions newer than V2.5.1. The fix has been made available in the March 1, 2024 update. Users should contact their local Hikvision technical support team to obtain the patched version (Hikvision Advisory, ASEC).

The vulnerability was responsibly disclosed to Hikvision's Security Response Center (HSRC) by security researchers Michael Dubell and Abdulazeez Omar (Hikvision Advisory).